Researchers say CryptoLocker, the ransomware that has been locking up computers over the past couple of months, has claimed more than 12,000 victims in less than a full week.
“CryptoLocker servers are changed very often – it is rare that a command-and-control server remains online for more than a week,” according to security technology company Bitdefender Labs. That is one reason why the virus can avoid getting shut down by law enforcement. “However, once it has been reverse engineered, security researchers can pre-register the relevant domains and count connection attempts.”
Bitdefender Labs researchers did just that – they used Domain Name System (DNS) sinkholes – and found that 12,016 CryptoLocker-infected hosts attempted to contact the “sinkholed” domains. The bulk of those connections traced back to Internet Protocol (IP) addresses in the U.S.
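The counting step the sinkhole approach relies on, as an added example that is not Bitdefender's code: given connection records from a pre-registered domain, it separates raw attempts from distinct infected hosts (the number the researchers reported). The log format, the placeholder domains and the addresses are all constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sinkhole records in a hypothetical "<timestamp> <source-ip> <queried-domain>" format.
SAMPLE_LOG = """\
2013-11-10T08:01:02Z 203.0.113.7 abc123.example-c2.net
2013-11-10T08:01:05Z 203.0.113.7 abc123.example-c2.net
2013-11-10T08:02:11Z 198.51.100.23 def456.example-c2.org
2013-11-10T08:03:40Z 203.0.113.9 www.example.com
2013-11-10T08:04:00Z 198.51.100.23 abc123.example-c2.net
2013-11-10T08:05:30Z 192.0.2.77 def456.example-c2.org
not a valid line
"""

# Domains the defender pre-registered after reverse engineering the generator
# (placeholders, not real CryptoLocker domains).
SINKHOLED = {"abc123.example-c2.net", "def456.example-c2.org"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, source_ip, domain) or None for malformed records."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, src, domain = match.groups()
    try:
        ip_address(src)  # reject records whose source field is not an IP address
    except ValueError:
        return None
    return ts, src, domain.lower().rstrip(".")


def count_sinkhole_hits(log_text, sinkholed):
    """Count connection attempts to sinkholed domains and the distinct hosts behind them."""
    hosts = set()
    per_domain = Counter()
    attempts = 0
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        _, src, domain = record
        if domain not in sinkholed:
            continue  # traffic to unrelated names is not evidence of infection
        attempts += 1
        hosts.add(src)  # one host may beacon many times; count it once
        per_domain[domain] += 1
    return {"attempts": attempts, "infected_hosts": len(hosts),
            "per_domain": dict(per_domain), "hosts": sorted(hosts)}
```

Distinct source addresses are only an approximation of infected machines, since several hosts behind one NAT gateway share an address.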
“In fact, judging by the distribution of infected hosts and the payment methods available, it would seem that only systems in the U.S. are targeted, with the rest being collateral damage,” said the Bitdefender Labs blog post.
CryptoLocker came on the radar in September as a Trojan spreading through fake emails. Once it infiltrates a machine, it encrypts files on the user’s computer and on any mapped network drives. Having locked the user out, it demands a MoneyPak or Bitcoin payment within three days.
Victims who pay the ransom of two Bitcoins receive a key that unlocks their encrypted files. Originally the key was destroyed 72 hours after infection, locking the files permanently, but on Nov. 1 the developers updated CryptoLocker to allow recovery beyond the allotted time at a ransom of 10 Bitcoins.
“Almost all the CryptoLocker command-and-control servers also host a public payment service through which victims can purchase decryption keys,” according to the Bitdefender Labs post.